Archive for October 27th, 2010

The Problem

You've probably read in the news about a Firefox extension called "Firesheep". It has been developed by Eric Butler and recently presented at ToorCon, pretty much to demonstrate a rather obvious thing: if a website which handles passwords or other sensitive bits doesn't enforce HTTPS encryption all over its domain, rather than just on login pages like many do (including Facebook and other popular social networks), your data can be easily sniffed and reused by malicious third parties. Furthermore, under specific circumstances (e.g. when you use Tor), a MITM attack can silently redirect you to a fake HTTP version of the site, and there's not much a web site can do about this without the client's help, other than consistently using HTTPS-only cookies.

HSTS To The Rescue!

What you may or may not know is that a technology called HSTS (HTTP Strict Transport Security) has been designed, mainly on PayPal's input, in order to help websites make their HTTPS setup more reliable and safe against hijacking attacks. HSTS was implemented by NoScript and by the Chrome web browser more than a year ago, and it is also currently shipping in Firefox 4 betas and development builds.

HSTS is a passive security enhancer, though, because it needs websites to opt in by sending a Strict-Transport-Security HTTP header, which asks the browser to automatically "upgrade" every subsequent request for the same site to a secure connection (HTTPS), no matter whether it had been initiated as plain HTTP.
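To make the opt-in mechanism concrete, here is a small model of the browser-side logic, added as an example and not taken from NoScript, Chrome or Firefox: it parses the Strict-Transport-Security header, remembers the policy only when it arrived over HTTPS (so a spoofed plain-HTTP reply cannot set or clear it), and rewrites later http:// requests to https:// while the policy is live. Host names and header values are constructed for illustration; ports and the header's case-insensitivity are not modelled.

```python
from urllib.parse import urlsplit, urlunsplit
import time

def parse_hsts(header):
    """'max-age=31536000; includeSubDomains' -> (31536000, True); None if no valid max-age."""
    max_age, include_subdomains = None, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                return None  # malformed max-age: the whole header is ignored
        elif name == "includesubdomains":
            include_subdomains = True
    return None if max_age is None else (max_age, include_subdomains)

class HstsCache:
    """Per-host HSTS policy store; `now` is injectable so expiry can be tested."""
    def __init__(self, now=time.time):
        self.now = now
        self.entries = {}  # host -> (expiry timestamp, include_subdomains)

    def observe(self, url, headers):
        """Record a response's policy; only a response received over HTTPS may set or clear one."""
        parts = urlsplit(url)
        hsts = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or hsts is None:
            return False
        parsed = parse_hsts(hsts)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        if max_age == 0:
            self.entries.pop(parts.hostname, None)  # max-age=0 withdraws the policy
        else:
            self.entries[parts.hostname] = (self.now() + max_age, include_subdomains)
        return True

    def upgrade(self, url):
        """Rewrite http:// to https:// when a live policy covers the host, directly or via includeSubDomains."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        labels = parts.hostname.split(".")
        for i in range(len(labels)):  # check the host, then each parent domain
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > self.now() and (i == 0 or entry[1]):
                return urlunsplit(("https", parts.hostname, parts.path, parts.query, parts.fragment))
        return url
```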

Being Proactive

Since HSTS is really simple and easy to understand, it would be wonderful if every web site supporting HTTPS deployed HSTS too. Regrettably we're not there yet: www.paypal.com (quite obviously) and secure.informaction.com are among the very few which already do, but for instance addons.mozilla.org currently doesn't, nor does Google itself.

Fortunately, for more than two years now NoScript has also let you manually select the web sites you want to browse via HTTPS only, by adding them in the NoScript Options|Advanced|HTTPS panel. Of course not all web sites like to have HTTPS pushed down their throats, so you should pick only those already supporting HTTPS, and you may still expect a tiny few of them to misbehave. However, your online banking, your webmail and the aforementioned addons.mozilla.org are probably great candidates to be added to NoScript's "force HTTPS" list right now.